[SHIBUI-1029]

Various attempts at getting from the AddNewUserFilter to our new /static.html page. No joy so far.
TIER · Jan 18, 2019 · d4f2026 · d4f2026
1 parent 0ebd02b
commit d4f2026
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 3 deletions.
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AccessDeniedHandler.java
@@ -0,0 +1,19 @@
+package net.unicon.shibui.pac4j;
+
+import org.springframework.security.access.AccessDeniedException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class AccessDeniedHandler implements org.springframework.security.web.access.AccessDeniedHandler {
+    @Override
+    public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
+        System.out.println("WOO! In handle!");
+        response.sendRedirect("/static.html");
+    }
+}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
@@ -9,6 +9,7 @@
 import org.apache.commons.lang.RandomStringUtils;
 import org.apache.http.entity.ContentType;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.bcrypt.BCrypt;
@@ -55,18 +56,21 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
                     user.setUsername(username);
                     user.setPassword(BCrypt.hashpw(RandomStringUtils.randomAlphanumeric(20), BCrypt.gensalt()));
                     Role noRole = roleRepository.findByName(ROLE_NONE).orElse(new Role(ROLE_NONE));
+                    roleRepository.save(noRole);
                     user.getRoles().add(noRole);
                     userRepository.save(user);
                     //TODO: Add call to email service here
                 } else {
                     user = persistedUser.get();
                 }
                 if (user.getRole().equals(ROLE_NONE)) {
+//                    throw new AccessDeniedException("DENIED!");
                     response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
                     ((HttpServletResponse) response).setStatus(HttpStatus.FORBIDDEN.value());
                     response.getOutputStream().write(getJsonResponseBytes(
                             new ErrorResponse(String.valueOf(HttpStatus.FORBIDDEN.value()),
                                     "Your account is not yet authorized to access ShibUI.")));
+                    ((HttpServletResponse) response).sendRedirect("/static.html");
                     return;
                 } // else, user is in the system already, carry on
             }

diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/ExceptionHandlerExceptionResolver.java
@@ -0,0 +1,8 @@
+package net.unicon.shibui.pac4j;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class ExceptionHandlerExceptionResolver extends org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver {
+
+}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/RestAuthenticationEntryPoint.java
@@ -0,0 +1,20 @@
+package net.unicon.shibui.pac4j;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Bill Smith (wsmith@unicon.net)
+ */
+public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+        System.out.println("WOO! In auth!");
+        response.sendRedirect("/static.html");
+    }
+}
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
@@ -12,6 +12,9 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 
@@ -23,6 +26,19 @@ public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config co
         return new Pac4jWebSecurityConfigurerAdapter(config, userRepository, roleRepository);
     }
 
+    @Bean
+    public static AccessDeniedHandler accessDeniedHandler() {
+        return new net.unicon.shibui.pac4j.AccessDeniedHandler();
+    }
+
+    @Bean
+    public static ExceptionTranslationFilter exceptionTranslationFilter(AccessDeniedHandler accessDeniedHandler) {
+        ExceptionTranslationFilter exceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
+        exceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
+        exceptionTranslationFilter.afterPropertiesSet();
+        return exceptionTranslationFilter;
+    }
+
     @Configuration
     @Order(0)
     public static class FaviconSecurityConfiguration extends WebSecurityConfigurerAdapter {
@@ -55,7 +71,16 @@ protected void configure(HttpSecurity http) throws Exception {
 
             http.addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
 
-            http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), BasicAuthenticationFilter.class);
+            http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class);
+/*
+                    .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
+            http.addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class);
+*/
+/*
+            ExceptionTranslationFilter customExceptionTranslationFilter = new ExceptionTranslationFilter(new RestAuthenticationEntryPoint());
+            customExceptionTranslationFilter.setAccessDeniedHandler(accessDeniedHandler);
+            http.addFilterAfter(customExceptionTranslationFilter, AddNewUserFilter.class);
+*/
 
             http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
 

diff --git a/pac4j-module/src/test/docker/conf/application.yml b/pac4j-module/src/test/docker/conf/application.yml
@@ -10,7 +10,7 @@ shibui:
     keystorePath: "/conf/samlKeystore.jks"
     keystorePassword: "changeit"
     privateKeyPassword: "changeit"
-    serviceProviderEntityId: "https://unicon.net/dev/shibui"
+    serviceProviderEntityId: "https://unicon.net/test/shibui"
     serviceProviderMetadataPath: "/conf/sp-metadata.xml"
     identityProviderMetadataPath: "/conf/idp-metadata.xml"
     forceServiceProviderMetadataGeneration: true
@@ -19,4 +19,4 @@ shibui:
 logging:
   level:
     org.pac4j: "TRACE"
-    org.opensaml: "INFO"
+    org.opensaml: "INFO"